Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Once again, security researchers have demonstrated at a Pwn2Own event that fully patched mobile devices are at risk from zero-day vulnerabilities.

At Mobile Pwn2Own 2018, held in Tokyo Nov 13-14, sponsor Trend Micro's Zero Day Initiative (ZDI) awarded a total of $325,000 to security researchers. Across the two-day event, researchers reported more than 16 new vulnerabilities, exposing risks in fully patched Apple iPhone, Samsung Galaxy S9 and Xiaomi Mi6 phones.

"We were surprised to see how popular the Xiaomi handset was, with five targets," Dustin Childs, communications manager for ZDI, told eWEEK. "Another positive surprise was a full day of successes on Day 1. That’s a rarity for Pwn2Own."

Further reading

The Pwn2Own contest is held twice a year. The first event, held in March, focused on desktop systems, and the second event targeted mobile devices. For the desktop event, researchers were awarded a total of $267,000 for disclosing new flaws in Apple Safari, Mozilla Firefox, Microsoft Edge and Oracle VirtualBox. At the 2017 Mobile Pwn2Own, ZDI awarded researchers a total of $515,000 for disclosing 32 vulnerabilities.

Vulnerabilities

The team known as Fluoroacetate, which included security researchers Amat Cama and Richard Zhu, ended up winning the overall event by demonstrating multiple vulnerabilities. The first bug demonstrated by the Fluoroacetate team was an NFC (near-field communications) issue in the Xiaomi Mi6 handset. That bug earned Fluoroacetate $30,000.

"Using the touch-to-connect feature, they forced the phone to open the web browser and navigate to their specially crafted webpage," Childs blogged. "The webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution on the phone."

Fluoroacetate also exploited the Samsung Galaxy S9 via a vulnerability in the baseband component of the phone. ZDI awarded $50,000 for the baseband issue, which enabled a memory heap overflow.

Looking beyond Android, Fluoroacetate also took aim at a fully patched Apple iPhone X and was able to exploit a pair of bugs via WiFi. One vulnerability was in the iOS web browser, while the second issue was identified as an out-of-bounds write for the sandbox escape and escalation. ZDI awarded Fluoroacetate $60,000 for the attack. While the attack Fluoroacetate demonstrated was specifically against Apple's iOS mobile operating system, given that there are some shared libraries with the macOS operating system, there potentially could be some risk for Apple's desktop users as well.

"We have not tested it on macOS, but it wouldn’t be surprising to see collisions there," Childs said.

On the second day of Mobile Pwn2Own, the Fluoroacetate team continued its assault on the iPhone X, demonstrating another pair of bugs that enabled them to exfiltrate data from the iPhone. The two flaws included a bug in the JIT compiler with out-of-bounds access, earning the team an additional $50,000.

Rounding out the Fluoroacetate team's success was a flaw it discovered in the JavaScript engine of the Xiaomi web browser that was used by the researchers to exfiltrate a picture from the phone. That attack earned the researchers $25,000. Fluoroacetate, however, failed on its final attempt of the contest, where the team targeted the iPhone X in the baseband category.

IoT

While researchers made quick work of the mobile phones available for attack at Mobile Pwn2Own, no one made an attempt at the internet of things (IoT) devices that were also part of the contest.

IoT is a new category to the contest this year, with targets including the Apple Watch Series 3, Amazon Echo (2nd Generation), Google Home, Nest Cam IQ Indoor and the Amazon Cloud Cam Security Camera.

"We didn’t have anyone target the IoT category this year," Childs said. "This is not surprising, as it often takes a year or two before we see attempts against new categories in Pwn2Own."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.